case study

How Publishing Factory achieved compliance and near-perfect cybersecurity behavior change results with minimal resources

About

Industry: IT services and consulting

Headquarters: Lausanne, Switzerland

Employees accessing the Publishing Factory IT environment: about 240

Challenge
Publishing Factory was ready to mature their security program with an automated solution to protect their growing business against an increase in phishing attacks.
Solution
The Hoxhunt self-service option has enabled a 93.5% user participation rate and transformative behavior change results, with the phishing training program running fully automated.
Key takeaways:
  • Overall participation rate: 93.5%
  • Failure rate change: -77%
  • Resilience ratio score: 46.75

“Our defenses are as weak as the weakest point. Hence we decided and managed to train and test 100% of our staff. Hoxhunt's self-service approach allowed us to reach this objective and make sure that our staff builds a wall around our asset rather than open doors and windows.” – Pierre Guiol, Managing Director of Publishing Factory

Automation

Putting security awareness and phishing training on auto-pilot at the Managing Director level

Publishing Factory runs a security audit every two years, and in 2018 decided to mature their security posture. As a digital services company they like to stay at the cutting edge of automated platform services, and that search led them to Hoxhunt. But they had a few critical conditions and goals for any security program:

  • Full automation 
  • GDPR compliance – “We take this very seriously”—Pierre Guiol, Managing Director
  • Seamless integration with Google G Suite
  • Measurable behavior change results
  • 100% engagement

Hoxhunt was chosen because it not only satisfied those basic criteria but also offered an approach to security behavior change built on automation and gamification, which fit the company's cutting-edge ambitions.

“We selected Hoxhunt after looking at several options, and I must say that one year later I am very happy not only with what we bought but with what we are getting on top of what we initially bought. There are many new features becoming available all of the time. For instance, we have signed up for the security awareness training on top of the original phishing training. I like the quality of the simulations and all the phishing tests at the base level, and we will activate the Spicy Mode to take training to the next level.” – Pierre Guiol, Managing Director of Publishing Factory

The security program metrics for Publishing Factory are remarkable. Dividing their 93.5% participation rate by their failure rate of 2% gives a resilience ratio score of 46.75. Most companies are happy with 10 and strive for a score of 12. A scant few reach 20; 46.75 is exceptional.

These results are all the more impressive considering that Publishing Factory is managing the program largely by themselves, opting for an automated phishing training package with limited customer support. 

“I like the quality of the phishing simulations, and the way different ones are sent at different times to different people,” said Pierre. “It keeps security at the front of people’s minds. But my favorite part is that training is automatic. It is very low maintenance. I get involved only when someone is reluctant, to change their mind.”

But a SaaS security behavior change platform can’t take all the credit for this level of results. So the question is:

How did they do it? 

Culture

Security leadership starts at the top 

To begin, they made security a key priority. That starts with putting the Managing Director in charge of the program, along with their Technical Project Manager, Sara Jimenez. Together, they make it clear to each of their colleagues, from the top down, that security is a vital business function and a shared responsibility. 

“Most people don’t think about cybersecurity unless they have to do consistent training," said Sara. "If it’s just one day, they make a check mark and then move on.”

If the Hoxhunt user performance results show that someone is falling behind in their training, or could use a bit of assistance, one of them pays them a friendly visit and communicates the value of security. And that means anyone.

“I personally went to all the senior staff of the company and asked them to do the training because they are the most important people in the company for us and for the attackers,” said Pierre. “If you don’t do the training then it’s useless to try and only protect everyone else because you are the front door for the company. It is like leaving the bank vault open if you don’t protect yourself.”

Measuring meaningful results 

Focus on participation, not failure

Publishing Factory focuses on participation rates. Since the beginning they have strived for 100% engagement, and this is the right way to approach security behavior change. Most security awareness tools and programs focus on failure rate, meaning the rate at which employees click on a phishing simulation and thus fail the test. A failure-only focus is flawed because it ignores how many employees are actually engaged in the training: a low failure rate says nothing about whether people are reporting the simulations, or detecting real threats, via the Hoxhunt threat reporting button, and an organization where most employees simply ignore every simulation can post a flattering failure rate while learning nothing.
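The arithmetic behind the two metrics, as an added example that is not part of the original case study and not Hoxhunt's own reporting code. The outcome vocabulary (reported, clicked, ignored), the rule that any response counts as participation, and the two constructed campaigns are assumptions made for illustration; the resilience ratio follows the page's definition of participation percent divided by failure percent. The two organizations in the sample data have identical failure rates but very different participation, which is the point the section above makes.

```python
"""Participation- versus failure-centred phishing-simulation metrics (constructed example)."""

# Outcome vocabulary for one simulation delivered to one user (our own, not Hoxhunt's).
REPORTED = "reported"   # flagged with the report button: the behaviour the program wants
CLICKED = "clicked"     # took the bait: counts as a failure, and triggers the training moment
IGNORED = "ignored"     # neither reported nor clicked: no engagement at all


def participation_rate(events):
    """Percent of users who responded (reported or clicked) to at least one simulation.

    Assumption: any response counts as engagement, because a click also puts the
    user through training; silently ignoring every simulation is non-participation.
    """
    users = {user for user, _ in events}
    engaged = {user for user, outcome in events if outcome in (REPORTED, CLICKED)}
    return 100.0 * len(engaged) / len(users) if users else 0.0


def failure_rate(events):
    """Percent of delivered simulations that were clicked."""
    clicked = sum(1 for _, outcome in events if outcome == CLICKED)
    return 100.0 * clicked / len(events) if events else 0.0


def resilience_ratio(participation_pct, failure_pct):
    """Participation percent divided by failure percent, e.g. 93.5 / 2 = 46.75.

    Returns None when nobody clicked: the ratio is undefined, and the participation
    figure on its own is then the number worth reporting.
    """
    if failure_pct == 0:
        return None
    return participation_pct / failure_pct


def summarize(events):
    """Return all three metrics for one campaign as a dict."""
    p, f = participation_rate(events), failure_rate(events)
    return {"participation_pct": p, "failure_pct": f, "resilience": resilience_ratio(p, f)}


def _campaign(table):
    """Expand {user: "RC"} shorthand into (user, outcome) events; R=reported, C=clicked, I=ignored."""
    code = {"R": REPORTED, "C": CLICKED, "I": IGNORED}
    return [(user, code[ch]) for user, outcomes in table.items() for ch in outcomes]


# Constructed campaign data: ten users, two simulations each, twenty deliveries per organization.
# Both organizations have exactly two clicks, i.e. the same 10% failure rate.
ENGAGED_ORG = _campaign({
    "u1": "RR", "u2": "RR", "u3": "RC", "u4": "RR", "u5": "CR",
    "u6": "RR", "u7": "RR", "u8": "RR", "u9": "RI", "u10": "II",
})
PASSIVE_ORG = _campaign({
    "u1": "RI", "u2": "II", "u3": "IC", "u4": "II", "u5": "CI",
    "u6": "II", "u7": "II", "u8": "II", "u9": "II", "u10": "II",
})

if __name__ == "__main__":
    for name, events in (("engaged", ENGAGED_ORG), ("passive", PASSIVE_ORG)):
        print(name, summarize(events))
```

A failure-rate-only dashboard would show both organizations at 10% and call them equivalent; the participation figure (90% against 30%) and the resulting resilience ratio (9.0 against 3.0) separate the one where people are learning to report from the one where most people never engage.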

Publishing Factory has learned to turn this thinking on its head. Sara, for instance, relayed the time that a phishing simulation about Google ads hit an employee at just the right time, when he was working with them. He panicked and while he ultimately flagged the email with the Hoxhunt button, he asked Sara, “Does Hoxhunt want to give me a heart attack?”

Pierre explained that this security training experience demonstrated clear benefits. In fact, Publishing Factory is opting into the Hoxhunt “Spicy Mode” training, in which the phishing attacks become more personal and more targeted to reflect higher levels of social engineering.

“This is exactly what must be done: to touch people where security issues are most sensitive, so it’s perfect,” he said. “It doesn’t matter if someone fails. The more difficult the training is, the better.”

Focusing on failure leads to failure. The most important thing is that people learn how to spot and report a suspicious email, until it becomes a matter of habit.

“The failure rate in training means that people are getting trained. Some just see ‘failure’ and don’t see the training behind that, they see just that we have a risk. The real failure is if people are not trained. It’s not the failure rate.”
